I would need one for successful and failed attempts. I appreciate the help
as I know you guys are busy. For whatever reason, I cannot seem to find
examples for this. I am a bit lacking in knowledge regarding the rules for
VNC. Anyway thanks again for getting back to me. 
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Monday, October 21, 2013 10:49 AM
To: [email protected]
Subject: Re: [ossec-list] VNC Windows Server Alerts

On Mon, Oct 21, 2013 at 10:29 AM, Forums <[email protected]> wrote:
> Here is the copy of the logs I sent out from the archive last week. Also
> below:
>

Were there any other log messages you wanted me to write rules for? Or was
it just the one?


> Archive log:
>
> Here is the output from the archives log after the 
> <logall>yes</logall> option was set.
>
>
> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
> 14/10/2013 20:35   Invalid attempt from client 192.168.2.3
>
> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
> 14/10/2013 20:36   Connection received from 192.168.2.3
>
> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
> BEAST.mydomain.local: A request to disable the Desktop Window Manager 
> was made by process (VNC server for X64/win32)
>
> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
> BEAST.mydomain.local: (no message)
>
> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
> 14/10/2013 20:36   Client 192.168.2.3 disconnected
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of dan (ddp)
> Sent: Monday, October 21, 2013 10:07 AM
> To: [email protected]
> Subject: Re: [ossec-list] VNC Windows Server Alerts
>
> On Mon, Oct 21, 2013 at 9:59 AM, Forums <[email protected]> wrote:
>> Any ideas?
>>
>
> Sorry about that, missed the email with the logs.
>
>   <rule id="300000" level="1">
>     <if_sid>18100</if_sid>
>     <match>UltraVnc: </match>
>     <description>UltraVNC blah blah</description>
>   </rule>
>
>   <rule id="300001" level="1">
>     <if_sid>300000</if_sid>
>     <match>Connection received from </match>
>     <description>VNC connection</description>
>   </rule>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Application: INFORMATION(1): UltraVnc:
> (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 
> Connection received from 192.168.2.3'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no
> user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Connection
> received from 192.168.2.3'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '300001'
>        Level: '1'
>        Description: 'VNC connection'
> **Alert to be generated.
>
>
>> -----Original Message-----
>> From: Forums [mailto:[email protected]]
>> Sent: Monday, October 14, 2013 8:55 PM
>> To: '[email protected]'
>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>
>> Here is the output from the archives log after the 
>> <logall>yes</logall> option was set.
>>
>>
>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:35   Invalid attempt from client 192.168.2.3
>>
>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:36   Connection received from 192.168.2.3
>>
>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
>> BEAST.mydomain.local: A request to disable the Desktop Window Manager 
>> was made by process (VNC server for X64/win32)
>>
>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
>> BEAST.mydomain.local: (no message)
>>
>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:36   Client 192.168.2.3 disconnected
>>
>>
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]]
>> On Behalf Of dan (ddp)
>> Sent: Monday, October 14, 2013 3:01 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>
>> On Mon, Oct 14, 2013 at 2:43 PM, Forums <[email protected]> wrote:
>>> Okay I will do just that. I am not sure how to turn that on but I 
>>> will research it and let you know or provide the logs once done.
>>>
>>
>> http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
>>
>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]]
>>> On Behalf Of dan (ddp)
>>> Sent: Monday, October 14, 2013 2:03 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>
>>> On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
>>>> I am such a fool. Please forgive me for my stupidity. I did
>>>> provide the screenshot of the log files that will need to be parsed
>>>> which were windows application logs. Not really vnc itself but the logs.
>>>> If you don't hear from me again it's because I stuck my tongue in a
>>>> light socket.
>>>>
>>>
>>> And I don't want to waste a bunch of time trying to figure out how 
>>> that log event looks to OSSEC. I could spend a lot of time doing 
>>> that, or you could provide the log from archives.log (after turning 
>>> on the log all option and triggering the log).
>>> Maybe someone else wants to give it a shot though.
>>>
>>>>
>>>>
>>>> From: [email protected]
>>>> [mailto:[email protected]]
>>>> On Behalf Of dan (ddp)
>>>> Sent: Monday, October 14, 2013 11:58 AM
>>>> To: [email protected]
>>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>>
>>>>
>>>>
>>>>
>>>> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>>>>>
>>>>> The log from the windows machines (VNC login) is attached. My point
>>>>> is, there
>>>>
>>>> Sorry about that, I must have missed it. All I saw was an
>>>> absolutely useless screen shot of event viewer. I'll take another look
>>>> after lunch.
>>>>
>>>>> is currently no rule for VNC, then any logs are probably going to
>>>>> point to nothing at this point. I need assistance creating a rule,
>>>>> right?
>>>>>
>>>>> If I am to turn on all logs feature for the OSSEC server I will 
>>>>> research that as I have never heard of it.
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected]
>>>>> [mailto:[email protected]] On Behalf Of dan (ddp)
>>>>> Sent: Monday, October 14, 2013 10:58 AM
>>>>> To: [email protected]
>>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>>>
>>>>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
>>>>> > VNC is installed on my windows machine. I have ossec server
>>>>> > installed on a Linux machine with agents installed on my
>>>>> > workstations. I need to be alerted when someone remotes to my
>>>>> > windows machine using VNC.
>>>>> > The alert event ID 1 shows in the application logs. Is there a
>>>>> > rule like VNC.xml for ossec?
>>>>> >
>>>>> > I cannot seem to get this event to trigger. Please see attached.
>>>>> >
>>>>> > localrules.xml
>>>>> >
>>>>> >  <!-- VNC Login -->
>>>>> >   <rule id="100036" level="11">
>>>>> >    <id>^1|^2</id>
>>>>> >    <match>Connection received from</match>
>>>>> >    <group>syslog,</group>
>>>>> >    <description>VNC Login</description>
>>>>> >   </rule>
>>>>> > </group> <!--SYSLOG,LOCAL -->
>>>>> >
>>>>>
>>>>> Turn on the log all option on the server and trigger the log message.
>>>>> That way we'll have a copy of the log to work with.
>>>>>
>>>>> > --
>>>>> >
>>>>> > ---
>>>>> > You received this message because you are subscribed to the 
>>>>> > Google Groups "ossec-list" group.
>>>>> > To unsubscribe from this group and stop receiving emails from 
>>>>> > it, send an email to [email protected].
>>>>> > For more options, visit https://groups.google.com/groups/opt_out.
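The rule set the original poster asked for, covering the successful and the failed attempt plus the disconnect, as an added example for this thread (it is not dan's code and not part of the OSSEC project's rule files). It follows dan's approach: chain off rule 18100, the parent of OSSEC's Windows event rules, and match on the message text, because the Phase 2 ossec-logtest output earlier in the thread lists no decoded fields for these events, so conditions such as `<id>` or `<same_source_ip/>` have nothing to work with. The three UltraVnc message strings are taken from the archives.log excerpt above; the rule IDs (100100 to 100104, inside the 100000-119999 range OSSEC reserves for local rules), levels, group names and the frequency/timeframe values are assumptions to adjust to your environment.

```xml
<!-- local_rules.xml: UltraVNC events relayed from the Windows Application log.
     Added example; rule IDs, levels and thresholds are assumptions. -->
<group name="windows,ultravnc,">

  <!-- Parent: any UltraVnc event. Level 0 so it never alerts on its own;
       the child rules below carry the alert levels. -->
  <rule id="100100" level="0">
    <if_sid>18100</if_sid>
    <match>UltraVnc: </match>
    <description>UltraVNC event (grouping rule)</description>
  </rule>

  <!-- Event ID 1: "... Connection received from 192.168.2.3" -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>Connection received from </match>
    <description>UltraVNC: connection accepted from a client</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Event ID 2: "... Invalid attempt from client 192.168.2.3" -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <match>Invalid attempt from client </match>
    <description>UltraVNC: invalid (failed) connection attempt</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Event ID 3: "... Client 192.168.2.3 disconnected" -->
  <rule id="100103" level="3">
    <if_sid>100100</if_sid>
    <match> disconnected</match>
    <description>UltraVNC: client disconnected</description>
  </rule>

  <!-- Repeated failures inside a short window. No <same_source_ip/> here:
       the logtest output showed no srcip extracted for these events, so
       this counts invalid attempts from any client. -->
  <rule id="100104" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <description>UltraVNC: multiple invalid connection attempts</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Drop this into /var/ossec/rules/local_rules.xml on the server, restart with /var/ossec/bin/ossec-control restart, then paste each archives.log line (from "WinEvtLog: " onward, exactly as the "full event" line in dan's logtest output) into /var/ossec/bin/ossec-logtest and confirm the Phase 3 rule id is 100101, 100102 or 100103 respectively. One caveat before treating 100101 as a "login": the captured sequence shows an Invalid attempt (ID 2) followed 28 seconds later by a Connection received (ID 1) from the same client, so confirm against UltraVNC's own logging whether ID 1 is written after authentication or merely when the TCP connection is accepted.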